Cybersecurity Threats in Healthcare: Ascension’s Disruption and Change Healthcare’s Ransomware Attack Highlight the Need for Industry Regulation

In recent news, Ascension, a major health care system with over 140 hospitals in 19 states and Washington, D.C., experienced a “cyber security event” on Wednesday. This event has resulted in significant disruptions to clinical operations within the company. The impact of this disruption has been particularly felt in several states, including Kansas, Florida, and Michigan.

One of the major consequences of this disruption is that physicians in Michigan are now required to write everything on paper due to the cyber security event. This has taken medical facilities back to the technology levels of the 1980s or 1990s.

This attack comes at a time when lawmakers and federal regulators are still grappling with the aftermath of the February attack on Change Healthcare. This attack exposed private data on a significant number of Americans, according to company estimates. Change Healthcare admitted to paying $22 million to the ALPHV ransomware group, which then shut down its site. An affiliate who was allegedly involved in the attack took 4 terabytes of data to another extortion site after being cut out of the proceeds.

The situation with Change Healthcare has reignited conversations about establishing minimum cybersecurity standards for the hospital industry. Industry groups have expressed their commitment to fighting against such standards, but healthcare remains one of the most targeted sectors by ransomware operators, likely due to its intolerance for long-term service disruptions and operators’ inclination towards extortions as indicated by cybersecurity firm Emsisoft.